What’s the best way to protect against dynamic file access using URL variables? I’m concatenating two URL variables that will form the filename I want to access which will load XML.
$type = $_REQUEST['type'];           // ie. AB
$timeframe = $_REQUEST['timeframe']; // ie. 00.04
// create XML document object model (DOM)
$main_doc = new DOMDocument();
$s = SITE_DIR."/data/file.".$type.".".$timeframe.".xml";
// example: file.AB.00.04.xml
// will be adding test to see if file exists
$main_doc->load($s);
You should check that the request string does not contain “..” and also doesn’t contain “/” (or “\” if you’re on Windows) so that the path does not point to a directory other than the one you are referencing.
Perhaps try this:
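An added example of the check described in this answer, not the answerer's own code (which does not appear on the page): it whitelists the exact shape of the two request values shown in the question and then confirms the resolved path still lies inside the data directory. SITE_DIR is assumed to be defined as in the question.

```php
<?php
// Added example: validate the two request variables with a whitelist and
// confine the final path to the data directory. SITE_DIR is assumed to be
// defined by the application, as in the question.

function build_data_path(string $type, string $timeframe): ?string
{
    // Whitelist the exact shapes the question shows ("AB" and "00.04").
    // Anything else, including "..", "/" and "\", is rejected outright.
    if (!preg_match('/^[A-Z]{2}$/', $type)) {
        return null;
    }
    if (!preg_match('/^\d{2}\.\d{2}$/', $timeframe)) {
        return null;
    }

    $base = realpath(SITE_DIR . '/data');
    if ($base === false) {
        return null; // data directory does not exist
    }

    $candidate = $base . '/file.' . $type . '.' . $timeframe . '.xml';

    // Second line of defence: resolve the path and make sure it is still
    // inside the data directory. realpath() returns false when the file is
    // missing, which also covers the "test if file exists" the question mentions.
    $resolved = realpath($candidate);
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

$path = build_data_path(
    (string)($_REQUEST['type'] ?? ''),
    (string)($_REQUEST['timeframe'] ?? '')
);
if ($path === null) {
    http_response_code(400);
    exit('Invalid or unknown data file');
}

$main_doc = new DOMDocument();
$main_doc->load($path);
```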